Using OPNsense 20.7.3-amd64 I have set up an OpenVPN server for remote access when I'm mobile or remote, and for joining a few remote sites I frequently visit.
I have the server as ssl/tls|tcp|tun|dynamic ip|addr pool|topology. I have a /24 as tunnel network and a /16 as local network (so that I can join and route all remote sites). As a single user I can connect from anywhere and successfully use the tunnel. The problem comes when I join remote sites.
Single users and remote sites have the same client configuration. The only difference is that for remote sites I have set up "client specific overrides" on the openvpn server.
And the only thing I specify is "ipv4 remote network", so that when this client joins and gets any (dynamic) IP from the VPN pool, OpenVPN activates the route to its remote subnet.
All goes very well except for the final part - injecting the remote network routes into the kernel routing table. All routes are correctly shown in OpenVPN > Connection Status > Routing Table, but are missing from the OS's routing table, thus I can't reach the remote sites (their subnets are routed via the default gateway on the WAN interface).
Has anybody used it this way and seen the same problem?
You still need to specify all local and remote networks in the main server. In the client specific override you specify which client will use them.
I'd do a separate instance for remote access and one for site2site.
Have this already in production and it works really fine
Quote from: mimugmail on October 15, 2020, 10:23:48 PM
I'd do a separate instance for remote access and one for site2site.
Have this already in production and it works really fine
Yes that's definitely the way I would recommend. Have it in production like that.
Yup, I can think of a hundred alternative ways of doing it, but was wondering why it's not working this particular way. And since all of it seems logical and is available as configuration options, but not actually working, I'm almost certain it's a bug.
A bug? No. Maybe it's not very intuitive.
All involved networks need to be defined in the main server to be added to the routing table. The client specific override only configures which client is getting which local networks and which remote networks are on the other side of the peer.
A bug that the UI doesn't do what you want or that OpenVPN itself doesn't do it? Maybe better check the different OpenVPN .conf output and ask at the OpenVPN forum?
Quote from: Gauss23 on October 16, 2020, 06:47:11 AM
A bug? No. Maybe it's not very intuitive.
All involved networks need to be defined in the main server to be added to the routing table. The client specific override only configures which client is getting which local networks and which remote networks are on the other side of the peer.
What you are saying sounds logical, although it doesn't work.
Will try to be more exact with my example:
1. I have two remote networks 192.168.10.0/24 and 192.168.20.0/24 available for two different sites.
2. Local ipv4 network configured in openvpn server is 192.168.0.0/16.
3. In client specific configuration I enter first subnet to site1, the second to site2.
4. Both sites connect, receive the /16 route.
5. OpenVPN server shows 192.168.10.0/24 routed to site1 and 192.168.20.0/24 to site2 in connection status > routing table, exactly as it should, since that's how it's configured.
6. The same routes do not exist in the OS routing table and they can't be reached unless manually defined.
I have tried what you suggest - to add all remote subnets in OpenVPN's main configuration, then have them split in the client specific configuration for each client. Unfortunately the result is that both subnets get routed to the first client to connect to the OpenVPN server.
It's either a bug or having "Tunnel Network" in client specific options available makes no sense.
Please send screenshot of server configuration.
A 192.168.0.0/16 network as local, but you want 192.168.10.0/24 and 192.168.20.0/24 as remote networks? How should that work? 192.168.0.0/16 includes both of your remote networks. Doesn't make sense to me.
Having the /16 on all sites routed to the central unit makes it possible for site1 to talk to site2 via the central server without the need for a mesh topology with VPNs between all sites. Nothing strange in that, no network rule has been violated :)
Still no screenshot
Quote from: Gauss23 on October 16, 2020, 04:22:05 PM
Still no screenshot
Well if the pictures will make it clearer, here they are :)
I haven't attached encryption and authentication as they are out of scope and will work fine.
Are you sure your client specific overrides are executed?
I needed to check "Force CSO Login Matching" to make it work.
Sorry, but incomplete screenshots are useless, really, it's always a small detail.
Quote from: Gauss23 on October 16, 2020, 06:56:12 PM
Are you sure your client specific overrides are executed?
I needed to check "Force CSO Login Matching" to make it work.
Well, yes, because I see the routes in openvpn status like so:
Quote from: mimugmail on October 16, 2020, 07:03:29 PM
Sorry, but incomplete screenshots are useless, really, it's always a small detail.
Here are the main/crypto too. So that all configuration options are available.
I don't use "Use topology" in my site2site config.
And I think you should add the remote networks in the main server as two separate entries
What does your routing table look like when the clients are connected?
- Mode Peer 2 Peer is for single Site 2 Site
- Single S2S needs local and remote
- Remote Access allows multiple S2S but separation via CSC
- Don't use Tunnel network inside local or remote
That's the OS routing table:
# netstat -nr
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 78.130.196.1 UGS em0_vlan
-.-.-.0/24 link#6 U em0_vlan
-.-.-.15 link#6 UHS lo0
127.0.0.1 link#3 UH lo0
192.168.1.0/24 link#1 U em0
192.168.1.1 link#1 UHS lo0
192.168.255.0/24 172.16.255.2 UGS ovpns1
192.168.255.1 link#8 UHS lo0
192.168.255.2 link#8 UH ovpns1
Third from the bottom is suspicious. It should not exist at all since that's the openvpn pool subnet.
If I add both 10/24 and 20/24 subnets (separated by comma) to the main openvpn configuration they both get routed to the first client to connect, no matter what client specific network I have for each client/site.
Quote from: mimugmail on October 16, 2020, 07:47:19 PM
- Mode Peer 2 Peer is for single Site 2 Site
- Single S2S needs local and remote
- Remote Access allows multiple S2S but separation via CSC
- Don't use Tunnel network inside local or remote
Thanks for bringing that up. That was new to me. Perfect hint.
So he just needs either 2 site-2-site OpenVPN servers or one with remote-access with CSO/CSC for site-2-site. Right?
I give up and started from beginning. One OpenVPN instance for remote access, second instance for site to site.
Do I have to see files in /var/etc/openvpn-csc for each client? I have client specific configurations in the GUI, but I see no config files produced on the file system.
I think it fails at ovpn_setup_cso.php:
if (!empty($all_cso[$vpnid][$common_name])) {
$common_name is empty.
Current screenshots when you started over ...
Quote from: mimugmail on October 17, 2020, 10:48:23 AM
Current screenshots when you started over ...
Here they are.
And some more...
Quote from: nothing on October 17, 2020, 08:00:31 AM
I give up and started from beginning. One OpenVPN instance for remote access, second instance for site to site.
Do I have to see files in /var/etc/openvpn-csc for each client? I have client specific configurations in the GUI, but I see no config files produced on the file system.
Unfortunately you seem to have missed:
Quote from: mimugmail on October 16, 2020, 07:47:19 PM
- Mode Peer 2 Peer is for single Site 2 Site
- Single S2S needs local and remote
- Remote Access allows multiple S2S but separation via CSC
- Don't use Tunnel network inside local or remote
Because you again created a Peer-to-Peer server. CSC/CSO is not needed here because it is for a single connection.
CSO/CSC is only for Remote-Access, as far as I understood mimugmail.
So either you create two separate Peer-to-Peer OpenVPN servers (on different ports, for example) or you try setting up a remote access server with CSO for two site-to-site connections.
https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html
Here is what I've just found. Those guys seem to have it in the official docs.
Quote from: mimugmail on October 16, 2020, 07:47:19 PM
- Don't use Tunnel network inside local or remote
If I understand this correctly, site to multisite is not possible, since the sites will have routing only to the center gateway, but not to other sites?!
Quote from: nothing on October 17, 2020, 01:06:45 PM
https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-s2s-tls.html
Here is what i've just found. Those guys seems to have it the official docs.
If you had followed those instructions you would have added the remote networks in the main server. See screenshot.
Apart from that it's a pfSense doc, so maybe they are handling stuff differently.
Right. Finally I got it to work. You are right - after all the changes and tests, I missed adding all remote networks in the main server configuration, then splitting them via CSC.
The OS routing table looks wrong, but it works:
172.16.40.0/24 172.16.255.2 UGS ovpns2
172.16.50.0/24 172.16.255.2 UGS ovpns2
172.16.255.0/24 172.16.255.2 UGS ovpns2
172.16.255.1 link#9 UHS lo0
172.16.255.2 link#9 UH ovpns2
As it shows, both subnets 40 and 50 are routed to 255.2, which belongs to site1, but subnet 40, which belongs to site2, is still accessible, although its router is 255.6.
Cheers and thanks!
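The rule Gauss23 and mimugmail arrive at (every remote network as a route in the main server, the per-client split done in the CSC/CSO, the tunnel pool kept outside local and remote networks) maps onto two OpenVPN directives: `route` in the server config installs a kernel route towards the tun device, while `iroute` in the per-client file only tells the OpenVPN process which connected client owns that subnet. That is also why the final netstat excerpt is expected rather than wrong: every `route` points at the same tun gateway, and OpenVPN selects the owning client from its internal iroute table afterwards. The following is an added example by the editor, not code from the thread or from OPNsense: a small Python lint that parses a server config and its client-config-dir files, reports iroutes with no covering kernel route, iroutes that collide with each other or with the pool, local/remote networks that swallow the pool, and lists the kernel routes the server will install. The two sample configs are constructed to mirror the thread's initial and final layouts; the central LAN 172.16.1.0/24 and the exact directory paths under /var/etc/openvpn-csc are assumptions.

```python
"""Lint an OpenVPN server config against its client-config-dir (CCD) files.

'route' installs a kernel route towards the tun device; 'iroute' (CCD) only
tells OpenVPN which client owns the subnet. An iroute with no covering 'route'
is the "in OpenVPN status, missing from the OS routing table" symptom.
Editor-added example with constructed inputs, not OPNsense-generated files."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


def _net(addr: str, mask: str = "255.255.255.255") -> Net:
    # 'route'/'iroute' take "network [netmask]"; the netmask defaults to a host.
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_server_conf(text: str) -> Tuple[Optional[Net], List[Net], List[Net], Optional[str]]:
    """Return (tunnel pool, kernel routes, routes pushed to clients, client-config-dir)."""
    tunnel: Optional[Net] = None
    routes: List[Net] = []
    pushed: List[Net] = []
    ccd_dir: Optional[str] = None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "server" and len(parts) >= 3:
            tunnel = _net(parts[1], parts[2])
        elif parts[0] == "route" and len(parts) >= 2:
            routes.append(_net(*parts[1:3]))
        elif parts[0] == "push" and len(parts) >= 2:
            # push "route N M" is a route the *client* installs; it adds nothing
            # to the server's own kernel routing table.
            inner = " ".join(parts[1:]).strip('"').split()
            if len(inner) >= 2 and inner[0] == "route":
                pushed.append(_net(*inner[1:3]))
        elif parts[0] == "client-config-dir" and len(parts) >= 2:
            ccd_dir = parts[1]
    return tunnel, routes, pushed, ccd_dir


def parse_ccd(files: Dict[str, str]) -> Dict[str, List[Net]]:
    """files: common name -> CCD file content (OPNsense writes one file per CN)."""
    out: Dict[str, List[Net]] = {}
    for cn, text in files.items():
        out[cn] = []
        for raw in text.splitlines():
            parts = raw.split("#", 1)[0].split()
            if len(parts) >= 2 and parts[0] == "iroute":
                out[cn].append(_net(*parts[1:3]))
    return out


def lint(server_conf: str, ccd_files: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means the layout is consistent."""
    findings: List[str] = []
    tunnel, routes, pushed, ccd_dir = parse_server_conf(server_conf)
    if ccd_files and ccd_dir is None:
        findings.append("CCD files given but no client-config-dir in server config; iroutes never load")
    owners: Dict[Net, str] = {}
    for cn, nets in parse_ccd(ccd_files).items():
        for net in nets:
            if not any(net.subnet_of(r) for r in routes):
                findings.append(f"{cn}: iroute {net} has no covering 'route' in the server config "
                                "(kernel sends it to the default gateway)")
            if tunnel is not None and net.overlaps(tunnel):
                findings.append(f"{cn}: iroute {net} overlaps the tunnel pool {tunnel}")
            for other, owner in owners.items():
                if owner != cn and net.overlaps(other):
                    findings.append(f"{cn}: iroute {net} overlaps {other} claimed by {owner}")
            owners[net] = cn
    if tunnel is not None:
        for r in routes + pushed:
            if r.overlaps(tunnel):
                findings.append(f"local/remote network {r} overlaps the tunnel pool {tunnel}; "
                                "keep the pool outside local and remote networks")
    return findings


def kernel_routes(server_conf: str) -> List[str]:
    """Subnets the server's kernel will send into the tun device, all via the same
    tun gateway regardless of which client owns them (what the final netstat shows)."""
    _, routes, _, _ = parse_server_conf(server_conf)
    return sorted(str(r) for r in routes)


# Constructed inputs modelled on the thread (assumed paths and central LAN).
# Initial layout: local /16 swallows the pool, remote networks only in the CSO.
SERVER_BROKEN = """
dev tun
server 192.168.255.0 255.255.255.0
push "route 192.168.0.0 255.255.0.0"
client-config-dir /var/etc/openvpn-csc/1
"""
CCD_BROKEN = {"site1": "iroute 192.168.10.0 255.255.255.0\n",
              "site2": "iroute 192.168.20.0 255.255.255.0\n"}
# Final layout: both remote networks as 'route' in the main server, split per
# client via iroute, pool outside local and remote networks.
SERVER_FIXED = """
dev tun
server 172.16.255.0 255.255.255.0
push "route 172.16.1.0 255.255.255.0"   # assumed central LAN
route 172.16.40.0 255.255.255.0
route 172.16.50.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/2
"""
CCD_FIXED = {"site1": "iroute 172.16.50.0 255.255.255.0\n",
             "site2": "iroute 172.16.40.0 255.255.255.0\n"}

if __name__ == "__main__":
    for name, conf, ccd in (("broken", SERVER_BROKEN, CCD_BROKEN), ("fixed", SERVER_FIXED, CCD_FIXED)):
        print(name, "->", lint(conf, ccd) or "OK", "| kernel routes:", kernel_routes(conf))
```

On a live OPNsense box the inputs would be the generated server config (under /var/etc/openvpn; path assumed) and the per-CN files under /var/etc/openvpn-csc; an empty findings list together with the expected subnets in `kernel_routes` is the state the thread ends in. If the CSO files are missing altogether, as the OP observed, the lint cannot help: that case is the override not being written or matched at all (see the "Force CSO Login Matching" hint above), not a routing layout problem.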